Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecting for Healthcare
Compliance
Phil Christensen
Sr. Solutions Architect
www.logicworks.com
H L C 3 0 1 - i
Patrick Combes
WW Tech Lead – HCLS
AWS
Mithun Mallick
Sr. Solutions Architect
AWS

Agenda
• HIPAA on AWS
• Common examples
• Logicworks:
• A typical HIPAA website stack
• Common challenges in legacy systems
• Our static ALB solution

AWS enables HIPAA compliance
AWS enables customers to build HIPAA-compliant applications that store, process, or
transmit Protected Health Information (PHI)
 Business Associate Agreement (BAA) addendum available
 HIPAA-eligible services from AWS for a broad range of applications
Compute Storage Database Managed Big
Data
Archiving Data
Warehousing
Networking

Growing set of HIPAA eligible services
0
7
10
19
23
29
31

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What the BAA requires
The essential requirements
Be able to audit and trace all activity related to PHI/PII
Encryption of PHI/PII data while at rest
Encryption of PHI/PII while in transit

The shared responsibility model
Security of the cloud
Expert guidelines and resources to
assist customers with compliant
application development
AWS delivers
Security in the cloud
Develop, validate, and secure
applications based on due diligence
and expert consultation
Customer responsibility
HIPAA and FedRAMP compliance requirements

Alignment to HIPAA security rule
HIPAA security
rule
(45 CFR Part 160 and Subparts A
and C of Part 164)
NIST 800-66
An introductory resource guide
for implementing the Health
Insurance Portability and
Accountability Act (HIPAA)
Security Rule
NIST 800-53
Moderate baseline + FedRAMP
controls

HIPAA security rule—Fine print explained
The security rule is located at 45 CFR Part 160 and subparts
A and C of Part 164
Title 45 of the Code of Federal Regulations—Public Welfare
Subtitle A - Health and Human Services
Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
Part 160 - General Administrative Requirements
Part 164 - Security and Privacy
Subpart C - Security Standards for the Protection of Electronic Protected Health Information
Section 164.308 - Administrative Safeguards
Section 164.310 - Physical Safeguards
Section 164.312 - Technical Safeguards
164.312(b)(2) – Standard: Audit Controls
Section 164.314 - Organizational Safeguards

Audit controls 164.312(b)(2)
164.312 (b)(2) Standard: Audit controls
Implement hardware, software, and/or procedural mechanisms that *record and examine
activity* in information systems that contain or use electronic protected health
information.

Audit controls 164.308(b)(2)—OCR audit protocol
§164.312(b):
Key activity
Determine the activities that will be tracked or audited
Audit procedures
Inquire of management as to whether audit controls have been implemented over information systems that contain or use
ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been
implemented over information systems that contain or use ePHI.
Key activity
Select the tools that will be deployed for auditing and system activity reviews.
Audit procedures
Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are
necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has
identified to capture the appropriate audit information.
Something you have to do.

AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your
AWS account.
AWS Config
Record and evaluate configurations of your AWS resources. Enable
compliance auditing, security analysis, resource change tracking, and
troubleshooting.
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes.
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect
your AWS accounts and workloads.
VPC Flow Logs
Capture information about the IP traffic going to and from network
interfaces in your VPC. Flow log data is stored using Amazon
CloudWatch Logs.
Gain the visibility you need
to spot issues before they
impact the business, improve
your security posture, and
reduce the risk profile of
your environment
Detective
control

Audit controls 164.312(b)(2)—OCR Audit protocol—
Select the tools
CloudTrail CloudWatch Logs Amazon
Kinesis
CloudWatch
Logs
subscription
consumer
(KCL-based)
CloudWatch
Logs
subscription
Amazon EC2
+
CloudWatch
Logs agent

HIPAA security rule—Fine print explained
…or“HowdoIderiveengineeringfromregulation?”
The security rule is located at 45 CFR Part 160 and subparts
A and C of Part 164.
Title 45 of the Code of Federal Regulations—Public Welfare
Subtitle A - Health and Human Services
Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
Part 160 - General Administrative Requirements
Part 164 - Security and Privacy
Subpart C - Security Standards for the Protection of Electronic Protected Health Information
Section 164.312 - Technical Safeguards
164.312(a)(1) – Standard: Access Control
164.312(a)(2) - Implementation Specification
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
164.312(e)(1) – Standard: Transmission Security
164.312(e)2) – Implementation Specification
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Encryption controls—164.312(a)(2)(iv)
164.312 (a)(2)(iv) Standard: Access control
Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt electronic
protected health information.
Guidance to render unsecured protected health information unusable, unreadable, or indecipherable to
unauthorized individuals.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Guidance to render unsecured protected health information unusable, unreadable, or indecipherable
to unauthorized individuals
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an
algorithmic process to transform data into a form in which there is a low probability of assigning
meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption)
and such confidential process or key that might enable decryption has not been breached. To
avoid a breach of the confidential process or key, these decryption tools should be stored on a
device or at a location separate from the data they are used to encrypt or decrypt.

Encryption Controls—164.312(a)(2)(iv)—OCR Audit
protocol
§164.312(a)(2)(iv):
Key activity
Encryption and decryption
Audit procedures
Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or
informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption
standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
- Type(s) of encryption used.
- How encryption keys are protected.
- Access to modify or create keys is restricted to appropriate personnel.
- How keys are managed.

Example architectures

Management VPCUsers
Three-tier web application architecture
Archive
Logs
Bucket
S3
Lifecycle
Policies to
Glacier
CloudTrailAWS Config
Rules
CloudWatch
Alarms
NAT
us-west-2a
Bastion
us-west-2b
Potential use
for security
appliances
for
monitoring,
logging, etc.
us-west-2a
us-west-2b
Proxies
NAT
RDS
DB
DMZSubnet
PrivateSubnet
PrivateSubnet
RDS
DB
PrivateSubnet
PrivateSubnet
Production VPC
DMZSubnet
Proxies

Conversational bots

InternetBrowser
AWS Lambda
functions
Pre-existing
Endpoints on AWS
Any publicly
accessible
endpoint
Amazon CloudFront,
along with Lambda @
Edge
- Perform rewriting of
URL or cleanup of data
parameters.
Amazon API
Gateway
Amazon
DynamoDB
Amazon S3 – static
files. Connect to API
gateway end point
for dynamic content.
Corporate data center
Traditional server
Serverless web application
AWS WAF

Mobile Device
AWS Lambda
functions to ingest
data
Mobile diagnostics
Medical
Sensor
iOS
Android
Store on Amazon
DynamoDB
Amazon SNS
RESTful API’s using
Amazon API
Gateway
Amazon API
Gateway
Web app using
AWS Lambda
functions
Caregiver
Browser
User pool and
device sync using
Amazon Cognito.
Static edge content using
Amazon CloudFront.
Data cleanup using
Lambda@Edge
Send notifications

Required HIPAA configurations

Top HIPAA architecture issues
90%
Encryption in
transit (SSL)

Why network issues?

Agenda
• A typical HIPAA website stack
• Network challenges in legacy systems
• Our static ALB solution
Common network issues and how to resolve them

Typical HIPAA website stack

Expectations Reality

Legacy networking issues

Anti-patterns
Network Load
Balancers

Anti-patterns
That’s the domain name for the IP 1.2.3.4.5.6.
The TTL value says “300 seconds”
Client DNS Server

Anti-patterns
No Load
Balancing

A better solution

Better solution for multi-cert situations

Prerequisites
Internal Application Load Balancer
IP IP IP

A perfect task for Lambda

Get the solution now!
http://logicworks-oss.s3-website-us-east-1.amazonaws.com/static-alb.yaml

Thank you!

Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018

Similar a Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018 (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018